user zulip;

worker_processes auto;
pid /var/run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

worker_rlimit_nofile 1000000;
events {
    worker_connections <%= @worker_connections %>;

    use epoll;

    multi_accept on;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    client_max_body_size 80m;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format combined_with_host_and_time '$remote_addr - $remote_user [$time_local] '
                                           '"$request" $status $body_bytes_sent '
                                           '"$http_referer" "$http_user_agent" $host $request_time';
    access_log /var/log/nginx/access.log combined_with_host_and_time;
    error_log /var/log/nginx/error.log;

    reset_timedout_connection on;

    gzip on;
    gzip_proxied any;
    gzip_comp_level 3;
    gzip_types
      application/javascript
      application/json
      application/xml
      application/x-javascript
      image/svg+xml
      text/css
      text/javascript
      text/plain;
    gzip_vary on;

    # https://wiki.mozilla.org/Security/Server_Side_TLS intermediate profile
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate <%= @ca_crt %>;


    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
